The FEAL Cipher Family
Shoji MYAGUCHI
Co,mmvnications and Information Processing Laboratories, NTT l-2356, Take, Yokosuka-shi, I{anagawa, 23843 Japan
1 FEAL cipher family FEAL-8 has been expanded to FEAL-N (N round FEAL with 64-bit key), where FEAL-N with N=4/8 is identical to FEAL-4/- 8 which have been previously published respectively. N is a user defined parameter (N>4, N:even, N=2”, 2 >2 is recommended). FEAL-N has also been expanded to FEAL-NX (X: expansion, N round FEAL with 12%bit key) that accepts la&bit keys. When the right half of the 128-bit key is all zeros, FEAL-NX works as FEAL-N. Upward compatibility is an important concept of the FEAL cipher family (I].
2 Round number N The author believes that most cipher applications can avoid cho- sen plaintext attacks by the countermeasures described in Annex-l. Increased N in FEAL-N or FEAL-NX can avoid chosen plaintext at- tacks. Where the countermeasures are applicable, small values of N (eg. N=8) should b e used. If none of the countermeasures can be applied or their effectiveness is unclear, the value of N in FEAL-N or FEAL-NX should be increased.
3 64-bit key and 128-bit key The author thinks that exhaustive searches for FEAL-N 64-bit keys may be possible if LSI technology advances sufficiently, as shown in Annex-2. He feels that FEAL-N may weaken against exhaustive search within one to two decades. Therefore, FEAL-NX which ac- cepts 128-bit keys has been designed.
A.J. Menezes and S.A. Vanstone (Eds.): Advances in Cryptology - CRYPT0 ‘90, LNCS 537, pp. 627-638, 1991. 0 Springer-Verlag Berlin Heidelberg 1991 629
ECB mode. This case includes the situation where the attacker uses the tool without permission of the victim. 2 Countermeasures One of the following may lie effective to prevent the attack. (1) Elimination of cooperation and improper use A cipher user should not encipher data from outside (possible chosen plaintexts) in the ECB mode using his secret key, and then return the ciphertexts so generated. He also should not provide an encipherment tool that outputs data enciphered in the ECB mode using the user’s secret key, i.e. eliminate user cooperation with the attacker, improper uses of the cipher as in Case-1 or Case-2 above. (2) Inhibitation of the ECB ECB mode should be inhibited, and CBC or CFB modes (feed- back modes, see IS08372) should be used(t). Initial va41uesof each mode are changed with each use of the cipher. The cipher user de- termines the initial value, IV, with his rule that is secret to others (possible attackers). The value of IV may be revealed after the first block of plaintexts is given. If the initial value IV must be sent to the receiver, it can be appended to the head of the ciphertext. t : 1nternationa.l standards, IS08732, IS09160 and IS010126, rec- ommend the use of CBC or CFB modes in cipher communications. (3) Key changes : The key, the target of chosen plaintext attack should be changed after each key use (tt). tt : International standard, IS08732, recommends that the key be changed for each communication session. (4) Miscellaneous: Individual countermeasures can be devel- oped for each cipher application. For instance, if the volume of cho- sen plaintexts is 1 Mega-byte, maximum data is limited to a lesser volume (eg. 100 kilo-byte) within one key lifetime.
Annex-2 Exhaustive search for 64-bit keys 1 Progress of LSI C-MOS technology A rough approximation is that LSI processing speed is inversely proportional to the channel width while LSI integrated transistor density is inversely proportional to the square of the channel width. The past decade has shown that LSI channel width has decreased to one third of the original width; consequently, processing speeds 630 have roughly tripled and the transister density has increased by a factor of 10. It is predicted that similar LSI technology advances will continue in the future. 2 FEAL-attack LSI chip Assume that a special FEAL-attack LSI chip can be fabricated, i.e., enciphering speed of the chip is 3 times the current speed, 300 Mbps E 3~ 96 Mbps (3x speed of current FEAL-8 chip). The chip has ten FEAL-N processing elements, while chip price is 20 US dollars. 3 Exhaustive search equipment The equipment includes 100,000 FEAL-attack chips. The eqip- ment inputs one plaintext (P)and its ciphertext (C) which was en- ciphered by a secret key, and enciphers P repeatedly and in parallel using key 1i-i for i from i=l to 264, producing ciphertext C, and com- paring C, to C. Here, the key I Annex-3 Comparison of Chosen plaintext attack and Ex- haustive search The author believes that a chosen plaintext attack (CPA) on 264 hlocks is extremely ineffective, and cannot be equated with ex- haustive search on 264 keys, even if the count6rmearsures to cP.4 described in Anrider-1 am ignored. The reasons are: (a) A cipher user (victim) or attacker has to use encipherment equip- ment that inpiit/outputs texts at a speed of 300 Tera-bps which cannot he realized, if the speed of CPA is comparable with that for exhaustive search (see Clause 3 of Annex-2). (b) The sheer vollime of data to be transferred, 264 x 8 bytes (1.47 X lo2’ bytes), prevents CPA within any reasonable period or price. To the author, it seeins to be questionable to compare the num- her of chosen plaintext attacks with that of czhaustive search, when the number is very big such as 2(j4. This comparison may lead to the misunderstanding that both attacks might be equally strong. Annex-4 Prograniiniiig techniques for FEAL I’rograinniing exainples of S functions of FEAL are shown below. 1 Program example using 1-bit left rotation instruction If a I-bit (or 2-hit) left rotation is used, ,So/S1 Functions can be coded easily. S~(.l-l,Ll-2)= ICot2( (.XI + .Y2 + 1 ) mod 256 ) is given below in typical 16-bit pp assembly language. add R1, R2 ; Rl - (Itl) + (R2) mod ’256, where Xl/X? is in Rl/R2. inc R1 ; R1 - (Rl) + 1 rot R1 ; R1 + 1-bit left rotation on (Rl) rot R1 ; R1 - 1-bit left rotation on (Rl) 2 Table search technique: This is suitable for processors that have a base register to point the table. The idea is shown for SI(XI,X,) = Rot2( (-Y1 + X:! + 1) mod 256) Step-1: X - XI + Xr2 (add XI and X2.then sum is stored into X) Step-2: Y - 2-bit left rotation on (X+l) froin table pointed S 3 Note: Program coding of paired stages in FEAL data ran- domization is very useful to decrease dynamic program steps. 632 Annex-5 FEAL Specifications This Annex uses the following conventions and notations. (1) A,Ar, ... : blocks (2) (A,B, . . .): concatenation of blocks in this order (3) A B: exclusive-or operation of A and B (4) C#J : zero block, 32-bits long (5) =: Transfer from left side to right side (6) Bit position: 1,2,3,. . . from the first left side bit (MSB) in a block towards the right. 1 FEAL options (1) Round number (N): Determines the round number (N) for FEAL data randomization, where N 2 4 and even. 2", x>2 is recom- mended. (2) Key parity: Indicates: (a) Use of key parity bits in a key-block, or (b) Non-use of key parity bits in a key-block 2 Enciphering algorithm Plaintext P is separated into Lo and I& of equal lengths (32 bits), i.e., P = (Lo,&). First, (Lo,&) = (Lo,Ro) @ (~~N,~~N+l,Ii'N+2,~~NS3) Next, (Lo,Ro) = (Lo,Ro) @ (4, Lo) Next, and calculate the equations below for r from 1 to N iteratively, Rr = Lr-I tz, f(&-1, ~{T-I) L, = R,--i where extended keys K,s are defined in Clause 4, and function f is defined in Clause 5. Output of r-th round is (LT,Rr). 633 Interchange the final output of the iterative calculation, ( LN,RN), into ( RN,LN). Next calculate: (RN, LN) = (RN,LN) 6 ($7 RN) Lastly, (RN,LN) = (EN,LN) &, (I 3 Deciphering algorithm Ciphertext ( RN,LN ) is separated into RN and L,v of equal lengths. First, (RN,LN) = (&N,LN) @ (li~+.l,f~,~+j,I~Ar+6rIiNtT) Next, (RN,LA') = (RN,LN) 3 (4, RN) Next, calculate the equations below for I' from N to 1 iteratively, L-1 = Rr 3 f(L,L-11 R,-1 = L, Interchange the final output of the iterative calculation, (&, Lo), into (LO,Ro). Next calculate: (Lo,Ro) = (Lo,Ro) 63 (#,Lo) Lastly, (LO?Ro) = (Lo,Ro) CE WN,KVt1, IiiVt2, Ih+3) Plaintext is given as (Lo,&). Data randomization for the encipher- ing / deciphering algorithms is shown in Figure 1. First , the key schedule of FEAL-NX is described, where the functions used are defined in clause 5. The key schedule yields the extended key fi; (i=0,1,2,. . .,N+7) from the 128-bit key. 4.1 Definition of left key 1;~and right key I~R Inputted 128-bit key is equally divided into a 64-bit left key, fcL, and a 64-bit right key, I 4.2 Parity bit processing (1) Non-use of key parity bits: There is no special processing here. (2) Use of key parity hits: Bit positions, 8, 16, 24, 32, 40, 48, 56, 64, of both I (I~R= ( I~RI,I Qr = I Br = f~<(a,P)= f~<(Ar-~?(Br-l CB Dr-1 @ Qr)) 1{2(1--1) = (BrO, Brl), I{z(r-l)+l = (Br27Br3) where Ar,Br, Dr and &,are auxiliary variables. Br = (BTo,Brl, Br2, Br3)- Bra,. . . , Br3 are each 8 bits long. Function fIc is the same as in FEAL-N. The key schedule of FEAL-NX is shown in Figure 2. 4.4 Key schedule of FEAL-N The FEAL-N key schedule is equivalent to the FEAL-NX key schedule when I{L is the 64-bit key of FEAL-N and KR is all zeros, where the temporary variable Qr=q5. 635 Let A0 be the left half of the 64-bit key and let Bo be the right, i.e., the 64-bit key= (Ao,Bo) and Do = 4. Then calculate I<,( i = 0 to N+'i ) for r = 1 to (1V/2) + 4, (N 2 4, N:even) Dr = AT-1, A, = Br-1 Br = f~\*(a,B)= fI<(LAr-l,(Br-1 or-1)) 1{2(r-I) = (BrO, Bt-l)? 1(2(t---1)+1 = (Br2rBr3) 5 Functions 5.1 Function f (see also Figure 3) f(a,P)is shortened to f. cy and /3 are divided as follows. where ai, and Pi are $-hits long. Functions So and S1 are defined in clause 5.3. a = (ao,a1,az,a.a),1) = (ijl0,Bl). f = (fo,fi, f2,f3) are calculated in the sequence (1) to (8). (1) fl = a1 @Po, (2) fz = a2 @Pl (3) fl = fl @ a07 (4)fi = f2 @ a3 (5)fi = si(fi,fi), (6) f2 = So(f2,fi) (7) fo = SO(QO,fl), (8) f3 = Sl(a3,f2) Example zn hex: Inputs: cy = OOFF FFOO, p = FFFF, Output: f = 1004 1044 5.2 Function flL- (see also Figure 4) Inputs of function flc, a and ,9,are divided into four 8-bit blocks as: = (Q0,al,a2,a3), P = (pO,Bl,p27D3)* f~(cr,,B)is shortened to f. fIi = (fIcO,flcl,fK2, fIc3) are calculated in the sequence (1) to (6). (1) fll-1 = a1 63 Qo, (2) fK2 = a2 a3 (3) fKl = Sl(fiil,(fl<2 w301), (4) fK2 = SO(fli2,(fl\.I @P1)) (5) f~o= So(ao, (flc1 @ Pz)), (6) f~3= &(w, (fmD3)) Example in hex: Inputs: cy = 0000 0000, ,L? = 0000 0000, frc = 1004 1044 636 5.3 Function S So and 5’1 are defined as follows: So(Xl,,rl-,)=Rot2((,TLrl + -1’2)mod 256) S1(~l,I~-?)=Rot2((X1+ .Yz + 1) mod 256) where X1andS~are &bit hlocks and Rot2(T)is the result of a 2-bit left rotation operation on %bit block, T. Emmple: Suppose XI= 00010011, X? = 1i11oOiO then T = (XI + Xi2 + 1) mod 256= 00000110 S1(&,X?) = RotZ(T)= 00011000 6 Example of working data in hex (1) Working data for FEAL-8 Parameters: Round number N=8 and non-use of key parity bits. (a) Key: = 0123 4567 89AB CDEF (b) Extended key: KO= DF3B, I<1 = CA36, I Qi 32b (KB, KI) AI f K CO 1 (K2, K3) 83" •KN-i { K0) (R.) RN-I (LI) DN'2+3 B N^ AN/2+3 f K 32b 32b LH} LN (Ra] 32b 32b 64b (KN + 6. KH + 7) Qr=KR,eKR2,r=l,4,. {} : Deciphering (KN + 4 to KN + T) K2(r-i) : Left half of Br Qr=KRi, r=2,5,- f ( (KN to KN*3) } K2 Ciphertext (Plaintext) block Number of iterations is (N/2)+4 KR= (KRI, KR2 ) Fig. 1 Data Randomization Fig. 2 Key Schedule of FEAL (FEAL-NX) 638 . f?j bits Y = Sa( X1,X2 ) = RotZ((XltX2) mod256) Y = Si( X1,XZ ) = Rot2((Xl+X2+1) mod256) Y: output(8 bits), Xl/X2(8 bits): inputs, Rot2(Y): a 2-bit left rotation on 8-bit data Y Fig. 3 f -function 8 bits wfK (a, L3 ) Note: Sa/Sjai'Bi: are the same as Se/Sj in f -function Fig. 4 f K-function